There are plenty of reasons not to use hotel Wi-Fi. It’s often expensive, sluggish, and unreliable. Sometimes it seems like nobody knows the network password, and when trouble arises it’s hard to convince the front desk that there’s a problem with their network, not one with your devices.

Now you can add something new to that list: Hackers are using hotel Wi-Fi to steal data through zero-day vulnerabilities that companies like Adobe and Microsoft aren’t even aware of.

Kaspersky Lab has appropriately dubbed the attacks the Darkhotel APT. (It’s not as catchy as Heartbleed, but it’s a little more explanatory, I guess.) Darkhotel works by taking advantage of hotel Wi-Fi’s public nature and the willingness with which many people install updates to popular software like Adobe’s Flash. Hackers are said to have used the tactic to steal information from people traveling in Asia, but researchers found that the malware infected computers across North America and Europe, too.

The hackers are said to have targeted specific individuals — people they knew were visiting a hotel. Attackers also knew what room the targets were staying in, when they would arrive, and when they would depart — while ignoring others. Most of the attacks were made between 2010 and 2013, but Kaspersky says it’s investigating reports of attacks made in 2014. It’s not clear how the hackers knew about their targets’ plans, how they selected their targets, or even who the hackers really are.

Knowing about these attacks doesn’t just add to the list of reasons not to use hotel Wi-Fi — it also adds an item to the ever-growing list of reasons not to use public Wi-Fi, period.

Public Wi-Fi networks are tempting. Cellular data is expensive, it doesn’t reach everywhere, and many services work better with a reliable Wi-Fi connection than a cellular one. Connecting to a Wi-Fi network makes life a lot easier. It also makes everything transmitted via the connection easier for someone to steal, thanks to faulty security features and even worse business plans.

Consider the news that broke in July about how Google, Comcast, AT&T, and other companies made users vulnerable to attack. Google put people at risk by having its Android phones trust certain networks based only on their name; the others did so by naming all of their public Wi-Fi networks the same thing. The combination of the two created a situation where hackers could steal data just by setting up a network bearing the same name as already-trusted connections.

Then there was the news that Comcast is injecting advertisements into browsers connected to its public Wi-Fi networks. Besides annoying their viewers, the ads also make the connection even less secure than it was before, as Ars Technica reported back in September:

Even if Comcast doesn’t have any malicious intent, and even if hackers don’t access the JavaScript, the interaction of the JavaScript with websites could ‘create’ security vulnerabilities in Websites, Schoen said. ‘Their code or the interaction of code with other things could potentially create new security vulnerabilities in sites that didn’t have them,’ Schoen said in a telephone interview.

Now it seems that hotel Wi-Fi can be used to steal information from specific targets chosen by unknown hackers because they carry undisclosed information and traveled in some of the most popular countries in Asia. So there are two options: accept all these risks for the sake of convenience, or deal with slower, more expensive cellular connections to remain a little more secure. Neither option is particularly compelling, I’ll admit, but this is the sad reality of Internet security in 2014.

Nathaniel Mott

Nathaniel Mott is a staff writer for PandoDaily, covering startups and technology from New York.

Google snoops on public Wi-Fi networks, then asks the Supreme Court to defend it

Wed, 02 Apr 2014 14:00:14 +0000

Google has asked the United States Supreme Court to consider its case that collecting emails, passwords, and other personal information as part of its Street View program was legal.

The request comes after the company failed to persuade an appeals court that gathering the data was protected by the Wiretap Act because it “only” collected unencrypted information from public networks that anyone could access. Circuit Judge Jay Bybee wrote in the court’s decision that this defense is faulty. “Even if it is commonplace for members of the general public to connect to a neighbor’s unencrypted Wi-Fi network,” Bybee wrote, “members of the general public do not typically mistakenly intercept, store, and decode data transmitted by other devices on the network.” Snooping on public Wi-Fi networks is not allowed by the Act, Bybee and the other judges hearing the case decided, and the lawsuit was allowed to continue.

Google thinks otherwise. It argues in its request that the appeals court’s decision threatens the Act’s ability to protect Americans from having their phone calls intercepted because of how it defines “radio waves.” Furthermore, Google claims it “fails to account for modern technological developments and will have wide-ranging harmful consequences,” arguing that because security professionals sometimes accidentally gather information from public Wi-Fi networks, this decision will prevent them from doing their jobs.

Wired contests those claims. “If the Supreme Court hears the case and eventually rules that unencrypted Wi-Fi sniffing is legal, that might be seen as a boon to criminals who eavesdrop on public access points to sniff out passwords or credit card numbers,” it notes in its report. Put another way: Google’s contention that its collection of medical records, private messages, and other personal information should be ignored because any arguments against that right will create more problems than they solve is deceitful. But Google isn’t worried about that — the company has a history of relying on underhanded defenses of the Street View program.

In December 2013, Pando’s Yasha Levine described Google’s attempts to confound Federal Communications Commission investigators as they looked into the Street View program:

As FCC regulators struggled to get a handle on Google’s mass surveillance program, the company used every corporate crisis management trick in the book to avoid scrutiny. It issued a series of shifting denials that its Street View cars collected wireless transmissions, ignored requests for documents, misled investigators about the extent of its data collection and, in a last ditch effort, tried shifting the blame for the whole thing on a single Google engineer. The company claimed that this employee had gone rogue, building and deploying the Wi-Fi surveillance feature without approval of his superiors.

In the end, FCC investigators obtained documents and internal correspondence showing without a doubt that upper management knew about and signed off on Street View’s wiretapping capabilities. And even more disturbing: the FCC obtained emails showing Google had been analyzing and integrating the data that it had intercepted.

Google hasn’t offered an honest defense of its Street View program in all the years that government officials have been investigating its systematic erosion of consumer privacy. The company claims that the information gathered from public Wi-Fi networks was collected by accident, but then analyzed that very data it had intercepted. It argues that any decision against its right to collect that information could further endanger the privacy of millions of people, but seems to think that its attempts to gather personal information should be protected by the same laws it hopes to undermine. Now Google wants to bring the Supreme Court into the mix.

Perhaps the company could use Street View to find the “don’t be evil” principles it once held.

Reactions from around the Web

Ars Technica notes how important a Supreme Court verdict on this issue would be:

Google wants the Supreme Court to reverse a decision concluding that the media giant could be held liable for hijacking data on unencrypted Wi-Fi routers via its Street View cars.

The legal flap should concern anybody who uses open Wi-Fi connections in public places like coffee houses and restaurants. That’s because Google claims it is not illegal to intercept data from Wi-Fi signals that are not password protected.

PCWorld adds further background on the case and notes that the FCC’s unwillingness to bring Google to bear could assist it if the Supreme Court decides to hear its argument:

Between 2007 and 2010, Google equipped its Street View cars with Wi-Fi antennas and software that collected data transmitted by Wi-Fi networks in nearby homes and businesses, which included both network identifying information and so-called payload data transmitted over unencrypted Wi-Fi networks. The company acknowledged in May 2010 that it had inadvertently collected some personal data from unencrypted networks and apologized for it.

Google in its appeal to the Supreme Court does not, however, accept that the collection of the data was illegal, pointing out that the U.S. Department of Justice, Federal Trade Commission and the Federal Communications Commission declined to take enforcement action after investigating Google, including for possible violations under the Wiretap Act.

And the most troubling part of the story: we would have never found out about any of this, if it hadn’t been for a few persistent German regulators, who hounded Google and forced it to disclose its internal Street View documentation. Without them, Google would still be spying on our internet traffic, and we’d be none the wiser.

Google’s Street View program showed the dangers of allowing seemingly benevolent technology companies to deploy powerful surveillance technology in public spaces with zero oversight. It also showed how little power the average person has against a giant company like Google, how little protection or recourse we have.

Nathaniel Mott

Nathaniel Mott is a staff writer for PandoDaily, covering startups and technology from New York.

Customer stalking, coming soon to a store near you

Sat, 24 Aug 2013 00:05:26 +0000

Synqera’s loyalty generator, which gives customers customized coupons and information when they enter the store.

I’m not so sure that comparing your technology to a scene from “Minority Report” is a good thing. But no one told the founders of Synqera, a Russian software that lets brick and mortar shops target customers with personalized ads and offerings in store.

With Synqera, consumers check in at the front door by swiping their rewards card in a machine called a loyalty generator, which prints out customized coupons, food recipes, store maps, or other items. Then as the person shops, they pass digital screens called simplates which can tell the shoppers’ age, gender, and mood. The simplate triggers demographic ads targeted at the specific shopper nearest to it. Weird.

Synqera’s simplate device, which senses shoppers’ age, gender, and mood through a webcam and then delivers tailored ads

Whether or not privacy critics like it, the Synqera technology is the future of retail shopping. It’s part of a big trend now in companies stalking their customers’ in-store activity, as covered by The New York Times last month. E-commerce platforms like Amazon have tons of data on who visits their site when, what they buy, and where they go next online. Brick-and-mortar shops want in on the action so they can tailor the store layout, product displays, and special offers to customer behavior.

If you live in Russia, you may very well come across a Synqera simplate or loyalty generator if you shop at the retail chain Ulybka Radugi. That’s where the technology is being pilot tested, and soon Synqera will announce the results of the test and enter into negotiations with other retailers. Synqera is looking for a US-based sales executive to tap the worldwide market, so it may be sooner rather than later that we see the technology in the States.

Demonstrating his product on Google Hangouts, founder Filipp Shubin likened the Synqera technology to that moment in “Minority Report,” where Tom Cruise enters The Gap and gets greeted by a hologram who scans his retinas and knows what he purchased last time he was there. It’s a dubious Big Brother description. But hey, who doesn’t like a cheerful hologram that knows your shopping history and is happy to see you?

Customized coupons like those offered by Synqera are cool, but it remains to be seen whether customers are comfortable with what it takes to get them. Having your movements and emotions tracked in person at a store feels a lot creepier than the invisible cookies collecting your data online. Nordstrom learned this the hard way when it started following its customers’ movements through their smartphone WiFi connections. The store put up signs letting people know, and Nordstrom got enough complaints to close the program soon after launching it.

Despite Nordstrom’s struggles, the in-person customer tracking market is alive and thriving. Synqera is the latest product in a big range of companies that boast about “[a]nalyzing more than 20 million shoppers a month across dozens of retail chains.” RetailNext and Brickstream use video and smartphone WiFi to see how long people spend in each section of a store. Nomi tracks customers through their mobile’s signals to see whether they’re repeat or new. RealEyes offers a Synqera-like emotion sensing technology, which can tell how people feel when they watch an ad on a digital screen in a store. The list goes on.

Despite the privacy concerns, this technology isn’t going away anytime soon. For retailers the products are a boon. There’s a reason why Amazon’s “Customers who bought this item also bought…” feature is so popular. Advertising 101: Ads work better when they suit the people they’re targeted to. And customers who aren’t too creeped out by the stalk factor might appreciate the personalized coupons or product suggestions. Give it a decade and The Gap scene from “Minority Report” may be real life, not sci-fi.

“Data is a true commodity that users want to commoditize even further”

Tue, 06 Aug 2013 13:00:52 +0000

The days of squatting at a Starbucks for access to their free Wi-Fi might be coming to an end. An increasing number of companies, from Google and Microsoft to Karma and FreedomPop, are trying to make it easier to get online at no cost to consumers. Internet access has transitioned from luxury to commodity, at least for those who live where these companies are able to operate.

FreedomPop wants to continue the commoditization of data by offering free Internet access over Sprint’s LTE network. The company is today announcing the FreedomSpot 5580 LTE hotspot, its first device to operate on the network and a precursor to the company’s entry into the smartphone market later this fall. The device will offer 500 megabytes of free data each month — users can elect to purchase more data or simply use FreedomPop as a free service.

“Data is a true commodity that users want to commoditize even further,” says FreedomPop CEO Stephen Stokols. Many people don’t want to pay for Internet access, he says, and would prefer to avoid paying an exorbitant amount for data they probably aren’t even using. (Which I did just last week when I paid Verizon $60 for 3 gigabytes of data despite only needing the hotspot for a day or two.) Stokols hopes that offering free data will allow FreedomPop to gain traction while simultaneously earning the trust of its users, some of whom might be willing to pay for extra data, “rollover” features, and the like.

FreedomPop has also commoditized the hardware used to access its service. The company sells “sleeves” for the iPhone and iPod touch, a “hub” that offers home Internet access, a hotspot, and, soon, a phone and other devices.

“It’s pretty easy for us to add initial devices and niche devices that will allow us to go for a slightly bigger market,” Stokols says. “If we want to take on the whole market we have to have more than just a hotspot, or even a hotspot and a digital hub for the home.”

The company is betting that there’s an empire to be built atop layer after layer of commoditized products and services. It’s giving customers between 500 megabytes and 1 gigabyte of data for free, each month. It’s selling the products used to access its service at low prices meant to get them to as many consumers as possible. And soon, it will begin offering free service to smartphones that can be bought cheaply from its store or brought over from another carrier. Then it just needs to show that there’s some proof that offering a free service on cheap or effectively free devices can somehow equal a sustainable company.